On July 10, 2023, the European Commission issued an adequacy decision implementing the EU-U.S. Data Privacy Framework (DPF). The adequacy decision recognizes that U.S. organizations that comply with the DPF provide protections for personal data equivalent to those required under the EU’s General Data Protection Regulation (GDPR). U.S. organizations will have the opportunity to self-certify compliance with the DPF by registering with the U.S. Department of Commerce and formally attesting to compliance with the DPF principles. The DPF will be enforced by the Federal Trade Commission.[1]
We anticipate that most U.S. organizations doing business in Europe will prepare for and certify under the DPF, with the DPF effectively becoming a proxy for a federal privacy law in the absence of one.
For background, under the GDPR, organizations can transfer data from the EU to the U.S. using one of several legal data transfer mechanisms. Most commonly, organizations rely on the use of standard contractual clauses (SCCs) as their legal data transfer mechanisms. SCCs are contractual clauses describing data protection and privacy obligations and are typically included as an appendix to contracts. There are other legal data transfer mechanisms such as binding corporate rules (BCRs) or an EU adequacy decision.
Prior to the European Commission’s adequacy decision for the U.S. on July 10, 2023, only 14 countries and territories had been recognized by the Commission via an adequacy decision as providing adequate data protection: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom, and Uruguay.[2] Now, U.S. organizations that certify under the DPF will benefit from the adequacy decision as well.
This article series focuses on the practical and operational considerations for U.S. organizations that are considering certifying under the DPF.
- Customer expectations and impact on deal cycle times: Why should an organization even bother certifying under the DPF? The answer is simple: your customers, strategic partners, and potential acquirers will check whether you are certified as one way of assessing your privacy compliance posture. This is one of the few moments where data privacy compliance activities can translate into revenue and enterprise value for your organization. If you are certified under the DPF, you should benefit from shorter deal cycle times due to reduced due diligence on your privacy program and/or less scrutiny of contractual data privacy terms. Use the DPF certification to show your customers that your organization is serious about data privacy compliance.
- Transition from https://www.privacyshield.gov/welcome to https://www.dataprivacyframework.gov/s/: As of writing this article on July 12, the home page of privacyshield.gov website includes a message that states, “In preparation for the launch of the Data Privacy Framework (DPF) program website (www.dataprivacyframework.gov) on July 17, 2023, the Privacy Shield program website (www.privacyshield.gov) is scheduled to be taken offline on July 14, 2023, at 9:00 pm EST. The DPF program website is scheduled to be brought online by July 17, 2023, at 5:00 am EST. Individuals with active accounts that were used with regard to the Privacy Shield program website will be able to use their existing login credentials for those accounts on the DPF program website.”[3]
The site migration itself is not significant, but once the new site is up, companies can take the first step toward compliance by comparing the requirements of Privacy Shield with those of the DPF to identify gaps. The outcome of such a comparison will be the focus of our next article.
- If your organization was previously certified under Privacy Shield: We understand that if your organization was previously certified under Privacy Shield, your self-certification will be transferred into the DPF. Presumably later this year, you should anticipate the need to update the language in your privacy policy to reflect the change from “Privacy Shield” to “Data Privacy Framework.”
- Memories of Privacy Shield and GDPR go-live in May 2018: Our privacy team helped many organizations prepare for and certify under Privacy Shield in advance of the GDPR go-live in May 2018. We observed significant wait times between when an application was submitted and when it was approved by the Commerce Department, with delays of three to six months in certain cases. If this holds true this time around, the time needed for DPF certification could be even longer, especially given the increased demand for the certification. As such, if your organization does not have a current, active Privacy Shield certification and is planning to certify under the DPF, we recommend starting the evaluation, gap closure, and certification process soon.
In our next article, we will review the requirements of the DPF with a focus on overlaps with both the GDPR and the California Consumer Privacy Act (CCPA), as well as an overview of the requirements that we believe will be most difficult for organizations to comply with.
[1] https://ec.europa.eu/commission/presscorner/detail/en/qanda_23_3752
[2] https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
[3] https://www.privacyshield.gov/welcome. Retrieved July 12, 2023.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.